Ip forwarding

Hi,
I know there's much out there about this topic but I'd like you to
clarify this to me.
I've got 2 network interfaces:
a) 192.168.0.1 mask 255.255.255.0
b) 192.168.1.1 mask 255.255.255.0

and I would like packets incoming on interface (a) to be forwarded to
(b) and vice verse.

I tried with
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding

but still nothing good.. I guess I have to use the iptables tools but
I don't know much about their usage...
Could you lend me a hand?

Thank you guys
Riccardo

On 2007-12-27, InuY4sha <(E-Mail Removed)> wrote:
> I've got 2 network interfaces:
> a) 192.168.0.1 mask 255.255.255.0
> b) 192.168.1.1 mask 255.255.255.0
>
> and I would like packets incoming on interface (a) to be forwarded to
> (b) and vice verse.
>
> I tried with
> echo 1 > /proc/sys/net/ipv4/ip_forward

That's enough. Of course, machines from network a) need to know that
they have to send the packets for b) to the gateway machine, and the
other way around.

Davide

--
Some drink from the Fountain of Knowledge. Others just gargle. -- Dave Aronson
And some pee in it. -- moc.oohay

> > I tried with
> > echo 1 > /proc/sys/net/ipv4/ip_forward
>
> That's enough. Of course, machines from network a) need to know that
> they have to send the packets for b) to the gateway machine, and the
> other way around.

Thank you very much; as a prove that you are correct I'm right now
trying tcpdump this way

Machine1ping -----> Machine2[tcpdump]---------->router-->outerworld.

What I get is that the request is forwarded to the router but I get no
reply from that.
Gonna investigate a bit more... (if I ping the router from Machine2 it
works fine)

InuY4sha wrote:

> Hi,
> I know there's much out there about this topic but I'd like you to
> clarify this to me.
> I've got 2 network interfaces:
> a) 192.168.0.1 mask 255.255.255.0
> b) 192.168.1.1 mask 255.255.255.0
>
> and I would like packets incoming on interface (a) to be forwarded to
> (b) and vice verse.
>

Ja , so would I , glad you beat me to stirring this subject up, since I
decided not to send the message I wrote couple weeks ago because it was to long.
..
> I tried with
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>
The first (at least) is done at boot on my SLACKware 12
but all the other files in that directory have 1 anyway.
I have tried same subnets, different but nothing.
The message saying "forwarding enabled" starts giving me stomach cramps.

I have
comp 1 eth1 comp2 eth0 comp3
win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 --- 192.168.67.9 slack 12
currently mask 255.255.0.0 everywhere.

I have even added explicit "host routes"
route add 192.168.0.1 eth1
route add 192.168.67.8 eth0

When I ping from comp3 to 1 tcpdump -i eth1 on comp2 shows no traffic
and tcpdump on comp3 shows 'only' 'arp where are you: 192.168.0.1'

So is this forwarding part of the basic kernel or does this "networking/forwarding
kernel" just mean capable,??
While I was looking for where 'route add 192.168.0.1 eth1' is set (not in rc.local with the other one), I opened rc.ip_forward , which mentions rp_filter and therefore
ip_tables ( which is not exactly what I would consider part of kernel even if it is compiled with it).
When I type ip_tables -L 2 modules get loaded, is it just the 'user interface'
and what is the situation till then (if it is not just interface) , is it supposed to forward?
Few days ago I got into serioulish reading about iptables which said somewhere that packets are matched against only one chain so I tried the following without any luck.

iptables -A FORWARD -s 192.168.67.8 -d 192.168.0.1 -i eth0 -o eth1

and probably backwards too.

Thought I had it couple of times, but because I prefer to interact with comp2
over telnet , it is possible I forgot to switch to local console when trying both mounting and the other time ping.

After about 5 years of christmas messing around with this I am desperate enough
that I installed the kernel source tree few days ago.
Oh and high speed is on the way, but I am only trying it.
LOL.

cheers.

On Dec 27 2007, 4:30 am, InuY4sha <riccardomanf...@gmail.com> wrote:
> > > I tried with
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
>
> > That's enough. Of course, machines from network a) need to know that
> > they have to send the packets for b) to the gateway machine, and the
> > other way around.
>
> Thank you very much; as a prove that you are correct I'm right now
> trying tcpdump this way
>
> Machine1ping -----> Machine2[tcpdump]---------->router-->outerworld.
>
> What I get is that the request is forwarded to the router but I get no
> reply from that.
> Gonna investigate a bit more... (if I ping the router from Machine2 it
> works fine)

Does the router know how to send packets back to machine1? from your
description it does not. I would hazard this is your typical linksys
or other
type dsl/cable router, in which you would have to tell it about a new
static
route which says "machine2 is the gateway to machine1"

Hello,

Sambo a écrit :
>
>> I tried with
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
>> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>>
> The first (at least) is done at boot on my SLACKware 12
> but all the other files in that directory have 1 anyway.

Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.

> I have tried same subnets, different but nothing.

Same IP subnets on different links is a bad idea. Keep the subnets
differents on each link. That's what IP subnets are for : tell what's on
the same link and what's not.

> The message saying "forwarding enabled" starts giving me stomach cramps.
> I have comp 1 eth1 comp2 eth0 comp3
> win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 --- 192.168.67.9 slack 12
> currently mask 255.255.0.0 everywhere.

That's wrong, because it means that the same subnet 192.168.0.0/16 is
used on both links. Use 255.255.255.0 everywhere instead, so you'll have
192.168.0/24 and 192.168.67.0/24.

> I have even added explicit "host routes"
> route add 192.168.0.1 eth1
> route add 192.168.67.8 eth0

This is useless when you have the right mask, and insufficient to get
things working when you have the wrong mask.

> When I ping from comp3 to 1 tcpdump -i eth1 on comp2 shows no traffic
> and tcpdump on comp3 shows 'only' 'arp where are you: 192.168.0.1'

Because of the wrong mask, comp3 thinks that comp1 is on the same link.

> So is this forwarding part of the basic kernel or does this
> "networking/forwarding kernel" just mean capable,??

Forwarding is not responsible for the failure. Wrong subnet setup is.

> and what is the situation till then (if it is not just interface) , is
> it supposed to forward?

The router is supposed to forward packets that are sent to it. But here
no packets are sent to it as comp1 expects comp3 to be on the same link.

> Few days ago I got into serioulish reading about iptables [...]

Please don't involve iptables yet. Just accept everything, which is the
default when iptables is not loaded.

First, you need to set different subnet on each link.
Second, you need to tell comp1 and comp3 how to reach the other subnet.
This can be done by using the router's address in the same subnet as the
default gateway, or by adding a network route to the other subnet via
the router :

comp1(windows) : route add 192.168.67.0 mask 255.255.255.0 192.168.0.8
comp3(linux) : route add -net 192.168.0.0/24 gw 192.168.67.1

Pascal Hamburg wrote:

> Hello,
>
> Sambo a écrit :
>
>>
>>> I tried with
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
>>> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>>>
>> The first (at least) is done at boot on my SLACKware 12
>> but all the other files in that directory have 1 anyway.
>
>
> Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.
>

little correction to this ??filter files contain 0.

>> I have tried same subnets, different but nothing.
>
>
> Same IP subnets on different links is a bad idea. Keep the subnets
> differents on each link. That's what IP subnets are for : tell what's on
> the same link and what's not.
>
>> The message saying "forwarding enabled" starts giving me stomach cramps.
>> I have comp 1 eth1 comp2
>> eth0 comp3
>> win200 192.168.0.1 -- 192.168.0.8 Slack 12 192.168.67.1 ---
>> 192.168.67.9 slack 12
>> currently mask 255.255.0.0 everywhere.
>
>
> That's wrong, because it means that the same subnet 192.168.0.0/16 is
> used on both links. Use 255.255.255.0 everywhere instead, so you'll have
> 192.168.0/24 and 192.168.67.0/24.
>


Ok I have changed back to 255.255.255.0 and restarted.


> The router is supposed to forward packets that are sent to it. But here
> no packets are sent to it as comp1 expects comp3 to be on the same link.
>
I hope by "sent to it" you mean "reaching it" as opposed to "addressed to it",
or is packet wrapping involved here.

[on windows/ comp1]
Somehow I managed to enter route badly and ended up with the following table

C:\WINNT\SYSTEM32>route print
================================================== =========================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 02 43 e8 32 ...... 3Com EtherLink PCI
================================================== =========================
================================================== =========================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 1
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 1
192.168.67.8 255.255.255.255 192.168.0.9 192.168.0.1 1
224.0.0.0 224.0.0.0 192.168.0.1 192.168.0.1 1
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
================================================== =========================
Persistent Routes:
None

Since ping complained "network unreachable"
I deleted it and after many unsuccessful attempts to enter host route I had to settle
for network route.

C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 192.168.0.9

C:\WINNT\SYSTEM32>route print
================================================== =========================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 02 43 e8 32 ...... 3Com EtherLink PCI
================================================== =========================
================================================== =========================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 1
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 1
192.168.67.0 255.255.255.0 192.168.0.9 192.168.0.1 1
224.0.0.0 224.0.0.0 192.168.0.1 192.168.0.1 1
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
================================================== =========================
Persistent Routes:
None

C:\WINNT\SYSTEM32>

But when I tried the following :
C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 interface 10000003
ROUTE: bad gateway address interface

So is the gateway address really needed to address the packets to the gateway?
Did I read about packet wrapping in masqrading. Hmmm.

So here is the routing table for comp2

root@LNX-A350:/home/sambo# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
LNX-P800 * 255.255.255.255 UH 0 0 0 eth0
192.168.67.0 * 255.255.255.0 U 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default sambo-main 0.0.0.0 UG 1 0 0 eth1
root@LNX-A350:/home/sambo#

Well the explicit route from (the one I was not sure of where it was coming from),
I may have to remove the LNX-P800 to eth0 from my rc.local

STRANGE thing is that localnet is now on eth1 not eth0???


Well off to comp3
SACREBLE it's working, was it the windows route?
windows dialed out

tcpdump -i eth1
where are you 192.168.0.1
at aa:bb:cc:dd:ee:ff
ICMP echo request
ICMp reply
a.iana-severs.net.domain ------------ AAAA?
[lau]
ptr <-- I think
^c

200 packets captured
2000+ received by filter
3000+ dropped by kernel

and similarly strange packets to about 100 other computers(nameservers?)
whose list I have seen somewhere.

Heh, hope I can get this to happen on comp2.

From slack 9 , 10, 10.2 and 12, thinking 192.168.0.x only had 256 addresses and trying to subnet with 255.255.255.224, ( address 192.168.0.33 and 34 ), I couldn't get this right?....


One more thing I was wondering about for the last few days is
the difference between gateway and IFace column in the Linux
route listing. Since my understanding always was that this is only
to indicate which interface to send a packet addressed to given address on.

In any case.

Thanks a lot.

Sambo a écrit :
>>>
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>> echo 1 > /proc/sys/net/ipv4/conf/wlan0/forwarding
>>>> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>>>>
>>> The first (at least) is done at boot on my SLACKware 12
>>> but all the other files in that directory have 1 anyway.
>>
>> Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.
>
> little correction to this ??filter files contain 0.

Filter files ? What do you mean ?

>> The router is supposed to forward packets that are sent to it. But
>> here no packets are sent to it as comp1 expects comp3 to be on the
>> same link.
>>
> I hope by "sent to it" you mean "reaching it" as opposed to "addressed
> to it", or is packet wrapping involved here.

I mean "addressed to it" at link layer (MAC address). Packets that are
meant to be forwarded by a router must be sent to its MAC address on the
link. This MAC address is obtained by doing an ARP query to the router's
local IP address, which is the gateway address in the routing table.

> [on windows/ comp1]
[...]
> C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0 192.168.0.9

Why 192.168.0.9 ? According to your diagram, comp2's eth1 address is
192.168.0.8.

> But when I tried the following :
> C:\WINNT\SYSTEM32>route add 192.168.67.0 mask 255.255.255.0
> interface 10000003
> ROUTE: bad gateway address interface

According to route help, the correct keyword to specify an interface is
"IF", not "INTERFACE". Anyway you don't want to create a direct route,
so you must specify a gateway, not just an interface.

> So is the gateway address really needed to address the packets to the
> gateway?

Yes it is.

> Did I read about packet wrapping in masqrading. Hmmm.

What are you talking about ? No masquerading is involved here, just
plain IP forwarding.

> So here is the routing table for comp2

Please use "route -n" (ou even better "ip route") so numeric IP
addresses are not resolved into obscure names.

> Well off to comp3
> SACREBLE it's working, was it the windows route?
> windows dialed out
> tcpdump -i eth1 where are you 192.168.0.1

Same here, pleas use option -n so numeric addresses are not resolved
into names.

> Heh, hope I can get this to happen on comp2.

Get *what* to happen ?
Please try to be clearer and more precise in describing your settings,
tests and results.

> From slack 9 , 10, 10.2 and 12, thinking 192.168.0.x only had 256
> addresses

And only 254 usable host addresses, .0 and .255 being reserved as
network and broadcast addresses. So what ?

> and trying to subnet with 255.255.255.224, ( address
> 192.168.0.33 and 34 ), I couldn't get this right?....

Get *what* right ?
Why the hell would you want to subnet 192.168.0.0/24 ?

> One more thing I was wondering about for the last few days is the
> difference between gateway and IFace column in the Linux route listing.
> Since my understanding always was that this is only to indicate which
> interface to send a packet addressed to given address on.

The interface column contains the output interface for a given
destination. The gateway column optionnally contains the address of the
next hop router if the destination is not directly reachable on the
network attached to the output interface. The gateway address must be
directly reachable on the network attached to the output interface.

"*" or 0.0.0.0 as the gateway means that the destination is directly
reachable on the network attached to the output interface. In this case
you can consider that the next hop address is equal to the destination
address.

In both cases the packet is sent on the link to the next hop MAC address.

Pascal Hambourg wrote:
> Sambo a écrit :
>
>>>
>>> Changing net/ipv4/ip_forward also affects net/ipv4/conf/*/forwarding.
>>
>>
>> little correction to this ??filter files contain 0.
>
>
> Filter files ? What do you mean ?
>

/proc/sys/net/ipv4/conf/eth0/rpfilter
/proc/sys/net/ipv4/conf/eth1/rpfilter

>>>
>> I hope by "sent to it" you mean "reaching it" as opposed to "addressed
>> to it", or is packet wrapping involved here.
>
>
> I mean "addressed to it" at link layer (MAC address). Packets that are
> meant to be forwarded by a router must be sent to its MAC address on the
> link. This MAC address is obtained by doing an ARP query to the router's
> local IP address, which is the gateway address in the routing table.
>
Oh , sorry, that makes sense.

>
>
> Why 192.168.0.9 ? According to your diagram, comp2's eth1 address is
> 192.168.0.8.
>

Yes, interchanged the 8 and 9 the first time.

> The interface column contains the output interface for a given
> destination. The gateway column optionnally contains the address of the
> next hop router if the destination is not directly reachable on the
> network attached to the output interface. The gateway address must be
> directly reachable on the network attached to the output interface.
>
> "*" or 0.0.0.0 as the gateway means that the destination is directly
> reachable on the network attached to the output interface. In this case
> you can consider that the next hop address is equal to the destination
> address.
>
> In both cases the packet is sent on the link to the next hop MAC address.

Yes, must be MAC addressed to somebody in the neighbourhood, carrying any INET
destination address, GOT IT.

Sambo a écrit :
>
>>> little correction to this ??filter files contain 0.
>>
>> Filter files ? What do you mean ?
>
> /proc/sys/net/ipv4/conf/eth0/rpfilter
> /proc/sys/net/ipv4/conf/eth1/rpfilter

I guess you mean rp_filter. This parameter is not involved in forwarding.

ip-sysctl.txt :

rp_filter - BOOLEAN
1 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.

0 - No source validation.

conf/all/rp_filter must also be set to TRUE to do source validation
on the interface

Default value is 0. Note that some distributions enable it
in startup scripts.